magpie-strategy
Fail
Audited by Snyk on Jun 28, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These are third‑party project URLs (a GitHub repo + raw.githubusercontent links and a project API domain) that instruct users to curl/npx and execute downloaded scripts with auth tokens—not binary downloads but an untrusted download-and-run workflow that can execute arbitrary code, access credentials, or perform unwanted actions, so it is suspicious.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading/funds-management agent: it defines trading “books”, wallet environment variables (MAGPIE_PRE_LISTING_WALLET, MAGPIE_GRADUATION_WALLET), cross-margined wallet handling, margin limits, order execution details ("FEE_OPTIMIZED_LIMIT entries + exits, taker-true"), position sizing and leverage, and persistent state for flips/conversions. It also names and forbids direct execution tools for user sessions (create_position, close_position, edit_position, cancel_order, strategy_close, etc.), which implies those tools exist and are used by the producer/engine. These are direct market-order and position-management capabilities (i.e., moving money/placing/canceling trades), not generic helpers — therefore this grants Direct Financial Execution Authority.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata